Cybercrime is no longer monopolised by elite criminals and no longer consigned to the dark web alone. Recent investigations indicate that hackers have become much braver and are now operating in the open, using popular apps to conduct illegal dealings. Criminals are now using consumer apps like Telegram and social media platforms to trade valuable personally identifiable information (PII) such as stolen payment card details.
Data is being stored in an ever-shifting array of locations and that widening landscape is creating more opportunities for the cybercrime ‘industry’. The exploding app universe offers multiple new and vulnerable attack vectors that can act as a direct gateway to enterprise data. The widespread use of web apps for critical activities exponentially expands the potential attack surface available to the cybercrime industry, making it harder for companies to defend themselves effectively.
With that in mind, businesses have a duty to review their web app landscape and ensure the data passing over these systems is secure. One little system backdoor could lead to a major, organisation-wide breach – so it’s worth making the effort to get it right.
Why attack a web app?
Attackers keep looking for novel ways to extract information and receive commands. By operating ‘in the open’, the traffic generated can be made to appear less suspicious and therefore less likely to be blocked.
As a result, minimising the chance of data being stolen requires more co-operation between popular app platforms and security professionals, as well as greater consumer awareness. Underpinning all that is a need for better data-centric security – ensuring that personally identifiable information is secured wherever it moves, not just in its home database.
As soon as you input data into a web app – whether it be WhatsApp, Facebook, Instagram or whatever – it’s not your data any more. You’ve got to assume the data you put in will exist for the rest of your life. It becomes a question of privacy and trust – do the owners of the app really just keep your data for a certain amount of time? And more importantly, what happens if they’re hacked? Where does that information go?
As a result of that risk, consumers and businesses should be very careful about what data they put on third-party applications. For consumers, anything that can be used against you shouldn’t go online; for businesses, investing in data-centric cybersecurity is a must.
The human factor
More often than not, however, breaches are a result of data owners themselves making a mistake. Every time you take on a service that makes your life easier, you also take on a bigger risk. As a result, we expect that the organisations with which we share our data are doing what they can to protect it, but in reality, there is often far less scrutiny and awareness in place than most people would expect.
Regulation can help drive companies to establish best practice, but it sets a raw baseline rather than a high watermark. Good security starts well above that benchmark. Unfortunately, most companies still can’t answer basic questions on where data is stored, who uses it and what would be lost if there’s a breach. There needs to be an increased focus on data monitoring and depth of insight – you might know something’s gone, but do you know what and how much?
The privacy question
At the heart of this debate is the question of privacy. On the one hand, companies like WhatsApp are expected to encrypt all communications that cross their platform and make sure that everything is private to the individual user in order to defend personal security. At the same time, however, there are increasing calls for large tech companies to take more responsibility for detecting potentially dangerous activity and hate speech – which would necessarily require a more ‘invasive’ level of monitoring. How should companies walk the line between guarding personal information and ensuring their systems are used responsibly?
In essence, it isn’t the third-party enterprise’s responsibility to govern what data flows over a private communication channel. Much like you wouldn’t expect a telecommunications firm to monitor every call made over its network, WhatsApp cannot be responsible for the words people pass through its software.
On the other hand, however, for companies that store personal data, there is a hefty burden of responsibility. Once your data’s been stolen, it’s gone – you’ll never get it back. The people you trusted to store your data are responsible for it. Once information has been taken, whether it’s pushed across WhatsApp or posted in the mail, it’s the fault of the company that allowed the breach to happen. As a result, companies in that position must ensure they protect the personal data they hold.
One way to do this is through encryption. Encryption in transit is fairly common – almost all communications channels are encrypted, as are websites served over HTTPS. Far less data at rest is encrypted, however. When data is stored on a server, it’s often not encrypted. That’s a costly oversight – encryption stops hackers from getting access to personal data even if they have root access to the server or have physically stolen the hard drive. By protecting the data itself – rather than the box it’s sitting in – you vastly increase your chances of keeping it safe.
By nature, encryption does let some people and apps in – the ones with the decryption key. However, that brings us back to where we came in. Almost all breaches are caused by authorised ‘users’ – which often means an app that’s been granted the use of that data. Apps have easily exploited vulnerabilities, which makes them a convenient route into encrypted data. It’s like in the movies when the villain knocks out a security guard and then uses their eye to activate a retinal scanner.
So where does that leave us? In short, you have to protect data at rest, in transit and in every application that handles it. The rise of web apps presents a whole raft of new risks – so careful monitoring of data access is essential. Your apps don’t have to be a gateway to your company data – but you have to make sure you have the right systems in place to keep them secure.
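As an added illustration of the two points above (this is example code, not from the article or from Imperva), the Go program below encrypts card numbers at rest with AES-GCM, so a stolen disk image or root shell yields only ciphertext, and routes every decrypt through one path that attributes and counts reads per calling app, so an authorised app that suddenly starts pulling rows in bulk is cut off rather than trusted because it holds the key. The key source, the read threshold and the card numbers are assumptions constructed for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

type Store struct {
	g        cipher.AEAD    // key assumed fetched from a KMS/HSM, never kept beside the data
	rows     map[int][]byte // record id -> nonce||ciphertext; all a stolen disk image holds
	reads    map[string]int // caller -> decrypts so far
	maxReads int            // constructed threshold for flagging bulk reads
}

func NewStore(key []byte, maxReads int) (*Store, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	g, _ := cipher.NewGCM(block) // cannot fail: AES has the 128-bit block GCM needs
	return &Store{g: g, rows: map[int][]byte{}, reads: map[string]int{}, maxReads: maxReads}, nil
}

func (s *Store) Put(id int, card string) {
	nonce := make([]byte, s.g.NonceSize()) // fresh random nonce per record, stored as prefix
	rand.Read(nonce)                       // crypto/rand; documented never to fail on Go 1.24+
	s.rows[id] = s.g.Seal(nonce, nonce, []byte(card), nil)
}

// Get is the only decrypt path: calls are attributed and counted, and past the threshold the key is not used at all.
func (s *Store) Get(caller string, id int) (string, error) {
	s.reads[caller]++
	if s.reads[caller] > s.maxReads {
		return "", errors.New("bulk read blocked for caller " + caller)
	}
	if ct, n := s.rows[id], s.g.NonceSize(); len(ct) > n {
		pt, err := s.g.Open(nil, ct[:n], ct[n:], nil) // fails on tampered data or wrong key
		return string(pt), err
	}
	return "", errors.New("no such record")
}

func main() {
	s, _ := NewStore([]byte("0123456789abcdef0123456789abcdef"), 2) // constructed demo key
	s.Put(1, "4111 1111 1111 1111")                                  // constructed card number
	fmt.Println(s.Get("checkout", 1)) // allowed; the third call by "checkout" is blocked
}
```

In a real deployment the per-caller counter would live in the access-monitoring layer (with a time window and alerting) rather than in process memory, but the shape is the same: decryption is a logged, rate-limited act, not a side effect of holding the key.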
By Terry Ray, SVP at Imperva